Headline

GHSA-528q-4pgm-wvg2: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type

Description

The go-httpbin framework is vulnerable to XSS as the user can control the Response Content-Type from GET parameter. This allows attacker to execute cross site scripts in victims browser.

Affected URLs:

/response-headers?Content-Type=text/html&xss=%3Cimg/src/onerror=alert(%27xss%27)%3E
/base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html
/base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html

Steps to reproduce:

Visit one of the above mentioned URLs.
XSS window will popup

Suggested fix

Allow Only Safe Content-Type Values Or give users option to define whitelisted Content-Type headers

Criticality

The following can be major impacts of the issue:

Access to victim’s sensitive Personal Identifiable Information.
Access to CSRF token
Cookie injection
Phishing
And any other thing Javascript can perform

3 months ago

ghsa

Open in Source

#xss #csrf #git #java

GitHub Advisory Database
GitHub Reviewed
GHSA-528q-4pgm-wvg2

Reflected XSS in go-httpbin due to unrestricted client control over Content-Type

Package

gomod github.com/mccutchen/go-httpbin (Go)

Affected versions

< 2.18.0

gomod github.com/mccutchen/go-httpbin/v2 (Go)

Description

The go-httpbin framework is vulnerable to XSS as the user can control the Response Content-Type from GET parameter. This allows attacker to execute cross site scripts in victims browser.

Affected URLs:

/response-headers?Content-Type=text/html&xss=%3Cimg/src/onerror=alert(%27xss%27)%3E
/base64/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html
/base64/decode/PGltZy9zcmMvb25lcnJvcj1hbGVydCgneHNzJyk+?content-type=text/html

Steps to reproduce: